Aqua News Aqua Nautilus Reveals Millions of Potential Kinsing Attacks Daily

New research proves Kinsing an ongoing threat; discloses evolving tactics and challenges facing organizations worldwide

SAN FRANCISCO—MAY 6, 2024—Aqua Security, the pioneer in cloud native security, today published a new report, “Kinsing Exposed: From Myth to Architecture – A Complete Cybersecurity Chronicle.” Aqua Security’s research team, Aqua Nautilus, invested years of research and analysis into understanding Kinsing, identifying more than 75 applications actively exploited by Kinsing. The comprehensive report highlights the infrastructure, tactics, techniques and modus operandi of Kinsing and highlights the threat posed by Kinsing to enterprises worldwide.

First emerging as a cybersecurity threat in 2019, Kinsing targeted cloud native infrastructure, such as misconfigured APIs, but the threat actor quickly spread attacks across popular cloud native applications globally. The Nautilus team has been at the forefront of monitoring Kinsing’s activities and named the malware in 2020. Nautilus’ work shown in this report provides invaluable intelligence to the cybersecurity community, offering strategies for security teams to better mitigate associated risks.

Despite efforts to disrupt its activities, Kinsing continues to evolve and adapt, posing a persistent challenge to organizations worldwide. Nautilus found that on average, honeypots were targeted by Kinsing eight times per day, with figures ranging from three to fifty attacks in a 24-hour period.

Other key findings include:

  • Rapid Botnet Vulnerability Integration: Kinsing has shown repeatedly the ability to swiftly integrate to its botnet exploits of newly discovered vulnerabilities in popular cloud native applications.
  • Global Impact: The Kinsing malware’s reach extends globally, with Shodan scans revealing potentially millions of daily attacks, emphasizing the scale of the threat and the need for international collaboration in defense efforts.
  • Diverse Tactics: The report highlights how Kinsing tailored its campaigns to maximize the impact of each attack. For instance, by tailoring the main payload based on the command interpreter. Kinsing is using dedicated scripts that run on `sh` (Shell) command interpreter with basic features on Unix systems, while on systems with `bash` (Bourne Again Shell), which is an enhanced version of `sh` that includes additional features (such as command line editing, job control, and improved scripting capabilities), Kinsing is running more features.

“Kinsing’s ongoing campaigns represent its dedication to evolving its operation to add new vulnerabilities and misconfigurations in cloud native environments. This adversary often acts faster than the defenders and demonstrates the clear and present danger to organizations of all sizes,” emphasized Assaf Morag, director of threat intelligence for Aqua Nautilus. “Our report serves as a stark reminder of the pervasive risk posed by Kinsing, and implores the cybersecurity community and leaders, such as Aqua, to remain vigilant and united in the face of this threat.”

Armed with anonymity, Kinsing exploits vulnerabilities or misconfigurations in applications, executes infection scripts, deploys cryptominers often concealed by rootkits, and maintains control over servers using the Kinsing malware. This multi-layered approach further proves the need for robust cybersecurity measures to detect, mitigate, and prevent insidious attacks from the malware.

“The depth of detail presented in our report is a testament to our team’s longstanding commitment to understanding and combating the threat of Kinsing,” said Morag. “Through years of continuous tracking and analysis, we are able to present a more holistic and robust report that provides a comprehensive understanding of Kinsing’s modus operandi and better tools to defend against it.”

To equip your security team with this new research and recommendations for protection, download the new report first discussed at RSA Conference 2024.

About Aqua Nautilus

Aqua Nautilus is a security research team whose mission is to analyze the evolving cloud native threat landscape, uncovering new threats targeting containers, Kubernetes, serverless, applications’ software supply chains and cloud infrastructure. The team aims to help Aqua customers and the community at large protect against the unknown, zero-day and emerging threats, turning insights from real-world attacks into powerful, intelligence-driven protection within the Aqua Platform.

About Aqua Security

Aqua Security sees and stops attacks across the entire cloud native application lifecycle in a single, integrated Cloud Native Application Protection Platform (CNAPP). From software supply chain security for developers to cloud security and runtime protection for security teams, Aqua helps customers reduce risk while building the future of their businesses. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL protecting over 500 of the world’s largest enterprises. For more information, visit